Authorization using filters in Java EE
I have a MongoDB base with users and passwords. I have a JSP file with a form for authorization. A filter should check whether the user is authorized or not. A servlet should authorize the user if he is not authorized.
Please give simple examples of how to do it.
- How to verify whether a user is authorized or not?
- The user is not logged in. Suppose the user is in the database. How is he authorized?
sorry for bad english.
Here's a scenario:
- User enters a secured page.
- Filter intercepts user request.
- Filter retrieves `User` object from session.
- If `User` object exists, allow user to the secured page.
- If `User` object doesn't exist, redirect user to the login page.

When the user submits the credential from the login page:
- System authenticates user using the provided credential against the database.
- If authentication is successful, system stores `User` object in the session and displays welcome page.
- If authentication is not successful, system brings user back to the login page.
Java EE implementations typically allow you to set up login modules. Those contain the actual code for doing authentication with a lot of different systems. These include a local XML file, a database, LDAP, Kerberos and quite a bunch of others.
You don't have to write those yourself, they are already provided for you.
Your code only triggers authentication (or declares resources to be protected and Java EE triggers authentication for you) and knows nothing about the actual authentication mechanism. The actual authentication is typically configured outside your code. Some Java EE implementations allow you to specify this within your EAR (e.g. via a -service.xml file on JBoss AS).
A potential disadvantage is that these modules are specific to your Java EE implementation (e.g. JBoss AS, Glassfish, etc). If you configure it outside your code, someone has to redo this again for each different Java EE application server you want to run your code on.
Next to that, the ways in which Java automatically triggers authentication for you (declarative security) are rather crude. More often the triggering of it is done programmatically, so you have greater control over how your login box works and when it exactly takes place.
See the following for a nice write up how to do this: http://it-result.me/servlet-3-programmatic-authentication-api/
Alternatively, there is indeed also the way limc explains. Via that approach, you completely ignore the APIs Java EE offers for this and just build your own code that typically queries a DB and stores some object in the HTTP session. The disadvantage here is that your security context does not automatically propagate, and you have to manually pass along this object or provide the code that needs to check for the authentication with access to the HTTP session.
Especially for business beans accessing the HTTP session is a bad practice.
Finally, Seam 3 promises to build a portable CDI extension for security concerns, which might be a big help if/when it becomes available.